The small business exemption ends on 1 July 2026. Are you ready?
From 1 July 2026, the Privacy Act small business exemption is removed. If you collect, store, or use personal information — customer data, staff records, email lists — you need to comply with the Australian Privacy Principles. The Privacy Act Compliance Sprint gets you there in four to six weeks.
"Our accountant mentioned that the Privacy Act exemption for small businesses is ending in July. We're not sure what that means for us."
Most small businesses first heard about this from their accountant or a news article. The answer: you need documented privacy practices before 1 July.
"A client asked whether we have a privacy policy and how we handle their customer data. We don't have anything documented."
Enterprise clients are already asking their vendors about privacy compliance. Not having documentation is a barrier to winning and keeping work.
"Our insurer asked about our privacy practices as part of a cyber insurance application. We couldn't answer the questions."
Cyber insurance applications now routinely include privacy compliance questions. Undocumented practices mean you can't honestly answer them.
"We handle customer personal information — addresses, email, purchase history. We assumed we were exempt. Apparently that's changing."
The exemption was designed for low-risk data handling. The 1 July change removes it entirely for businesses turning over under $3M.
What about APP 11?
The Australian Privacy Principles include APP 11 — the requirement to take reasonable steps to protect personal information from misuse, interference, and loss. This means security controls, not just a policy document. The sprint includes an APP 11 security controls assessment, because a privacy policy without underlying security controls is incomplete.
Privacy compliance gap assessment
Structured assessment against all 13 Australian Privacy Principles (APPs 1–13). Documents what you have, what's missing, and what the sprint will address.
Privacy Policy
Drafted, reviewed, and ready to publish. Written to reflect your actual data handling practices — not a template that misrepresents what you do.
Data inventory
Documented record of what personal information is collected, held, used, and disclosed — by category, system, and purpose. Required for APP 1 compliance.
APP 11 security controls assessment
APP 11 requires reasonable steps to protect personal information. This assessment maps your current technical controls against that standard and identifies gaps. A privacy policy without this is incomplete. If gaps are identified, a follow-on technical engagement closes them.
Breach response procedure
Step-by-step process for the 30-day eligible data breach notification requirement, including internal escalation steps, OAIC notification template, and client notification guidance.
Privacy Management Plan + staff guide
Internal procedures for handling personal information, and a plain-language staff guide for employees who collect or handle customer data.
A privacy policy without security controls isn't compliant — it's a liability.
APP 11 requires you to take reasonable steps to protect personal information from misuse and unauthorised access. That means technical controls: access management, encryption at rest, secure disposal. CyberCraft can deliver both the privacy documentation and the underlying security assessment in one engagement. If the APP 11 assessment finds control gaps, we scope the technical remediation as a follow-on — not an upfront requirement that blocks the sprint.
Book and pay — immediate start
Use the configurator below to get your fixed price. Book directly. We schedule the intake interview within three business days of payment.
Intake interview — one hour
Structured interview covering your data handling practices, systems used, existing documentation, and the specific requirement driving the sprint.
Gap assessment, APP 11 review, and documentation drafting
CyberCraft maps findings against the APPs, assesses security controls against APP 11, and drafts all documentation. No further client time required during this phase.
Review call and final delivery
One-hour review session to walk through the draft documentation. Amendments applied. All documents delivered in editable and PDF formats.
Privacy Act Compliance Sprint — Pricing Configurator
Three questions. Instant price. Booking confirmed immediately.
↳ JS configurator to be built. Inputs: staff count (1–20 / 21–100 / 101+), existing docs (none / partial / yes), industry (standard / high-risk: healthcare, finance, legal).